CVE-2025-4127 is a stored Cross-Site Scripting vulnerability classified under CWE-79 found in the WP SEO Structured Data Schema plugin for WordPress, affecting all versions up to and including 2.7.11. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'Price Range' parameter. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary JavaScript code into this parameter. Because the malicious script is stored persistently, it executes whenever an administrator accesses the plugin's settings page, potentially allowing attackers to hijack admin sessions, steal credentials, or perform actions with elevated privileges. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits are currently known, but the vulnerability is publicly disclosed and assigned by Wordfence and enriched by CISA. The lack of patches at the time of disclosure necessitates immediate mitigation steps to reduce risk.

The primary impact of this vulnerability is the compromise of administrative accounts and site integrity on WordPress installations using the affected plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of an administrator’s browser, leading to session hijacking, credential theft, or unauthorized actions within the WordPress dashboard. This can result in site defacement, data leakage, or further compromise of the hosting environment. Since the vulnerability requires authenticated access at Contributor level or above, insider threats or compromised lower-privilege accounts can escalate their impact. Organizations relying on this plugin for SEO structured data risk disruption of their website management and potential reputational damage. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initial user context, increasing the severity of impact.

1. Immediately restrict Contributor-level and higher user permissions to trusted personnel only until the vulnerability is patched. 2. Monitor and audit Contributor and higher user activities for suspicious behavior or unauthorized changes. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'Price Range' parameter. 4. Disable or remove the WP SEO Structured Data Schema plugin if it is not essential to reduce attack surface. 5. Regularly update the plugin once a security patch is released by the vendor. 6. Educate administrators to avoid visiting plugin settings pages from untrusted networks or devices. 7. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of injected scripts. 8. Conduct periodic vulnerability scans and penetration tests focusing on WordPress plugins and user input handling. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses tailored to this specific vulnerability.